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A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
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Status 

Responsive to communication(s) filed on 17 January 2007 . 
2a) □ This action is FINAL 2b)S This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11, 453 O.G. 213. 
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4) [>3 Claim(s) See Continuation Sheet is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) S Claim(s) See Continuation Sheet is/are rejected. 
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Application Papers 
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1 This action is in response to the communication filed on 1/17/2007. 

2 DETAILED ACTION 

3 Continued Examination Under 3 7 CFR 1.114 
4 

5 A request for continued examination under 37 CFR 1.114, including the fee set forth in 

6 37 CFR 1. 17(e), was filed in this application after final rejection. Since this application is 

7 eligible for continued examination under 37 CFR 1.1 14, and the fee set forth in 37 CFR 1. 17(e) 

8 has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 

9 37 CFR 1.114. Applicant's submission filed on 1/17/2007 has been entered. 

10 Response to Arguments 

1 1 Applicants' arguments filed 1/17/2007 have been fully considered but are moot in view 

12 of the new grounds of rejection presented below. 

13 Claims 1-3, 5-8, 12, 14-19, 21-24, 28, 30-35, 37-40, 44, 46-51, 53-56, 60, 62-67, 69-72, 

14 76, 78-83, 85-88, 92, 94-96, and 98 have been examined, while claims 4, 9-11, 13, 20, 25-27, 29, 

15 36, 41-43, 45, 52, 57-59, 61, 68, 73-75, 77, 84, 89-91, 93, and 97 have been cancelled. 

16 All objections and rejections not set forth below have been withdrawn. 

17 Any claim not specifically mentioned above has been rejected by virtue of its dependency 

18 to a specifically mentioned claim. 
19 

20 
21 
22 
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1 Claim Objections 

2 Claim 3 is objected to because of the following informalities: 

3 Line 2 recites "said resource data of said packed computer file comparing logic" which 

4 lacks antecedent basis in the claim language. The examiner will assume that this was meant to 

5 read "said resource data comparing logic" as is consistent with claim 1. 

6 Line 3 recites "said resource data" which has multiple antecedent basis in the claim. It is 

7 unclear to which resource data this is referring and therefore the ordinary person skilled in the art 

8 would not be able to determine the scope of the claim. For purposes of searching prior art, the 

9 examiner will assume that the limitation was meant to read "said resource data of said packed 

10 computer file" as is consistent with the rest of the claims. 

1 1 Appropriate correction is required. 
12 

13 

1 4 Claim Rejections - 35 USC §103 

15 The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

16 obviousness rejections set forth in this Office action: 

17 A patent may not be obtained though the invention is not identically disclosed or 

1 8 described as set forth in section 102 of this title, if the differences between the subject matter 

19 sought to be patented and the prior art are such that the subject matter as a whole would have 

20 been obvious at the time the invention was made to a person having ordinary skill in the art to 

21 which said subject matter pertains. Patentability shall not be negatived by the manner in which 

22 the invention was made. 
23 

24 Claims 1-3, 5-8, 12, 14-19, 21-24, 28, 30-35, 37-40, 44, 46-51, 53-56, 60, 62-67, 69-72, 

25 76, 78-83, 85-88, 92, 94-96, and 98 are rejected under 35 U.S.C. 103(a) as being unpatentable 



Application/Control Number: 09/9 12,389 Page 4 

Art Unit: 2131 

1 over Cozza (US Patent Number 5,649,095), and further in view of Arnold et al. (US Patent 

2 Number 5,442,699), hereinafter referred to as Arnold, and further in view of Pietrek ("Peering 

3 Inside the PE: A Tour of the Win 32 Portable Executable"). 

4 Regarding claims 1, 17, 33, 49, 65, and 81, Cozza disclosed a system, method, and 

5 computer program product in a computer storage medium (See Cozza Claims and Col. 1 Lines 

6 26-33) comprising a computer program operable to control a computer to detect a known 

7 computer program within a packed computer file, said packed computer file being unpacked 

8 upon execution, said computer program comprising (See Cozza Abstract and Col, 3 Paragraph 

9 6): resource data reading logic for reading resource data within said packed computer file (See 

10 Cozza Col. 6 Lines 21-23 and 29-34), said resource data specifying program resource items used 

1 1 by said known computer program (See Cozza Col. 2 Paragraph 7) and readable by a computer 

12 operating system without dependence upon which unpacking algorithm is used by said packed 

13 computer file (See Cozza Col. 6 Paragraphs 2-3 wherein the compressed file is not decompressed 

14 in order to read the resource forks information); and resource data comparing logic for 

15 generating characteristics of said resource data (See Cozza Col. 1 Lines 58-65 wherein it was 

16 inherent that the characteristic data was generated in order for the data to have been compared) 

17 and for comparing said characteristics of said resource data with characteristics of resource data 

18 of said known computer program (See Cozza Col. 7 Lines 35-39 and Col. 1 Lines 58-65) and for 

19 detecting a match with said known computer program indicative of said packed computer file 

20 containing said known computer program (See Cozza Col. 7 Lines 35-39 and Col. 1 Lines 58- 

21 65), wherein said resource data of said packed computer file is processed to generate fingerprint 

22 data (See Cozza Fig. 5); wherein said generated fingerprint data includes a number of program 
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1 resource items specified within said resource data of said packed computer file (See Cozza Fig. 5 

2 RESFORKLEN); wherein said generated fingerprint data includes a flag indicating which data is 

3 included within said -generated fingerprint data (See Cozza Fig. 5); wherein the fingerprint data 

4 includes a location within said resource data of an entry specifying a program resource item 

5 having a largest size (See Cozza Col. 6 Lines 29-45); wherein said generated fingerprint data 

6 includes a checksum value of the computer file (See Cozza Fig. 5), but Cozza failed to disclose 

7 wherein said generated fingerprint data is compared with fingerprint data of said known 

8 computer program; or that the checksum value was calculated in dependence upon: a number of 

9 said program resource items specified beneath each node within hierarchically arranged resource 

10 data of said packed computer file; string names associated with said program resource items 

11 within said resource data of said packed computer file; and sizes of said program resource items 

12 within said resource data of said packed computer file. However, Cozza did disclose the file 

13 including a number of program resource items specified within said resource data (See Cozza 

14 Col. 2 Paragraph 7). 

15 Pietrek teaches that a Win32 PE file is an executable file which contains un-initialized 

16 code and resources, which when executed the code is initialized using the resources (See Pietrek 

1 7 Page 2 1 PE File Base Relocations). 

1 8 Arnold teaches a method of virus scanning in which hashes of a file are created and 

19 compared to hashes of known viral patterns in order to detect computer viruses upon matching 

20 (See Arnold Col. 10 Lines 48-52). 

21 It would have been obvious to the ordinary person skilled in the art at the time of 

22 invention to employ the teachings of Pietrek in the virus detector of Cozza by allowing the 
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1 scanning of Win32 PE files and their resources. This would have been obvious because the 

2 ordinary person skilled in the art would have been motivated to provide protection against Win32 

3 PE files containing viruses. 

4 It further would have been obvious to the ordinary person skilled in the art at the time of 

5 invention to employ the teachings of Arnold in the virus scanning of Cozza by creating hashes of 

6 the data, including the resources, of the compressed file and comparing it to hashes of known 

7 viral patterns. This would have been obvious because the ordinary person skilled in the art 

8 would have been motivated to scan the files as quickly as possible, without compromising 

9 security. 

10 It would have been obvious in this combination that because the file contains the resource 

1 1 fork and resource items, and the hash is taken of the file, the signature includes a number of 

12 resource items specified within the resource fork. It further would have been obvious that 

13 because the fingerprint data represented the file during comparison, and the flags of Cozza 

14 indicated the viruses found in the file; the fingerprint data would have included a flag indicating 

15 which data (viruses) was included within said fingerprint data. 

16 It further would have been obvious that the checksum of the file in this combination 

17 would have been dependant upon a number of said program resource items specified beneath 

18 each node within hierarchically arranged resource data of said packed computer file; string 

19 names associated with said program resource items within said resource data of said packed 

20 computer file; and sizes of said program resource items within said resource data of said packed 

21 computer file, as Pietrek teaches that Win32 PE files are arranged in such a manner, as is seen is 

22 Pietrek Fig. 5 and Table 1 3 . 
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1 Regarding claims 2, 18, 34, 50, 66, and 82, Cozza, Arnold, and Pietrek disclosed that said 

2 known computer program is one of: a Trojan computer program; and a worm computer program 

3 (See Cozza Col. 1 Lines 22-32 and Col. 7 Lines 35-39). 

4 Regarding claims 3, 19, 35, 51, 67, and 83, Cozza, Arnold, and Pietrek disclosed that said 

5 resource data comparing logic is operable to compare said resource data with characteristics of a 

6 plurality of known computer programs to detect if said packed computer program contains one of 

7 said plurality of known computer programs (See Cozza Col. 7 Lines 35-40). 

8 Regarding claims 5, 21, 37, 53, 69, and 85, Cozza, Arnold, and Pietrek disclosed that said 

9 program resource items used by said known computer program include one or more of: icon 

10 data; string data; dialog data; bitmap data; menu data; and language data (See Cozza Col. 2 

1 1 Paragraph 7). 

12 Regarding claims 6-8, 22-24, 38-40, 54-56, 70-72, and 86-88, the combination of Cozza, 

13 Arnold, and Pietrek disclosed specifying a storage location for each resource item as an offset, 

14 and the size of each resource (See Pietrek Page 20 Table 13 Offsets and Page 21 Fig. 14 

15 DWORD OffsetToData). 

16 Regarding claims 12, 28, 44, 60, 76, and 92, Cozza, Arnold, and Pietrek disclosed that 

17 said generated fingerprint data includes timestamp data indicative of a time of compilation of 

18 said known computer program (See Cozza Fig. 5 VOLUMECRDATE). 

19 Regarding claims 14, 30, 46, 62, 78, 94, and 98, Cozza, Arnold, and Pietrek did not 

20 specifically disclose that the checksum is rotated between each item being added into said 

21 checksum, but SHA, which shifts 1 bit to the left after each operation, was a well known 
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1 checksum in the art at the time of invention, and as such it would have been obvious to the 

2 ordinary person skilled in the art to have used SHA as the checksum. 

3 Regarding claims 15, 31, 47, 63, 79, and 95, Cozza, Arnold, and Pietrek disclosed 

4 decompressing the computer program upon execution (See Pietrek Page 21 PE File Base 

5 Relocations). 

6 Regarding claims 16, 32, 48, 64, 80, and 96, see the rejection of claim 1 above. 
7 

8 

9 Conclusion 

10 Claims 1-3, 5-8, 12, 14-19, 21-24, 28, 30-35, 37-40, 44, 46-51, 53-56, 60, 62-67, 69-72, 

1 1 76, 78-83, 85-88, 92, 94-96, and 98 have been rejected. 

1 2 . Any inquiry concerning this communication or earlier communications from the 

13 examiner should be directed to Matthew T. Henning whose telephone number is (571) 272-3790. 

14 The examiner can normally be reached on M-F 8-4. 

15 If attempts to reach the examiner by telephone are unsuccessful, the examiner's 

16 supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 

17 organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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